Bug 2368956 (CVE-2025-48734)

Summary: CVE-2025-48734 commons-beanutils: Apache Commons BeanUtils: PropertyUtilsBean does not suppresses an enum's declaredClass property by default
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aazores, abrianik, adupliak, anthomas, aprice, aschwart, asoldano, ataylor, bbaranow, bmaxwell, boliveir, brian.stansberry, caswilli, ccranfor, cdewolf, chfoley, cmah, cmiranda, csutherl, darran.lofthouse, dbruscin, dhanak, dkreling, dnakabaa, dosoudil, drosa, eaguilar, ebaron, ecerquei, ehelms, eric.wittmann, fjuma, fmariani, fmongiar, ggainey, ggrzybek, gmalinko, haoli, hkataria, ibek, istudens, ivassile, iweiss, jajackso, janstey, jbuscemi, jcammara, jcantril, jclere, jmitchel, jneedle, jnethert, jolong, jpechane, jpoth, jrokos, jross, jsamir, jscholz, juwatts, kaycoth, kegrant, kholdawa, koliveir, kshier, kvanderr, kverlaen, lcouzens, lgao, mabashia, mhulan, mnovotny, mosmerov, mposolda, mskarbek, msochure, msvehla, nipatil, nmoumoul, nwallace, oezr, osousa, pantinor, parichar, pbizzarr, pbraun, pcongius, pcreech, pdelbell, periklis, pesilva, pjindal, plodge, pmackay, porcelli, rchan, rguimara, rkieley, rkubis, rojacob, rstancel, rstepani, sausingh, sfroberg, shvarugh, simaishi, smaestri, smallamp, smcdonal, ssilvert, stcannon, sthorger, swoodman, szappis, tasato, tcunning, teagle, tfister, thavo, tom.jenkinson, vmuzikar, yfang, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Apache Commons BeanUtils. This vulnerability allows remote attackers to execute arbitrary code via uncontrolled access to the declaredClass property on Java enum objects, which can expose the class loader when property paths are passed from external sources to methods like getProperty() or getNestedProperty().
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2369089, 2369094, 2369088, 2369090, 2369091, 2369092, 2369093, 2369095    
Bug Blocks:    

Description OSIDB Bzimport 2025-05-28 14:01:19 UTC 
Improper Access Control vulnerability in Apache Commons.



A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declared class level property access by default.





Releases 1.11.0 and 2.0.0-M2 address a potential security issue when accessing enum properties in an uncontrolled way. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum’s class loader via the “declaredClass” property available on all Java “enum” objects. Accessing the enum’s “declaredClass” allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty().
Starting in versions 1.11.0 and 2.0.0-M2 a special BeanIntrospector suppresses the “declaredClass” property. Note that this new BeanIntrospector is enabled by default, but you can disable it to regain the old behavior; see section 2.5 of the user's guide and the unit tests.

This issue affects Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2.Users of the artifact commons-beanutils:commons-beanutils

 1.x are recommended to upgrade to version 1.11.0, which fixes the issue.


Users of the artifact org.apache.commons:commons-beanutils2

 2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue.
Comment 2 errata-xmlrpc 2025-06-05 02:19:47 UTC 
This issue has been addressed in the following products:

  Cryostat 4 on RHEL 9

Via RHSA-2025:8265 https://access.redhat.com/errata/RHSA-2025:8265
Comment 3 errata-xmlrpc 2025-06-11 15:34:12 UTC 
This issue has been addressed in the following products:

  Red Hat Build of Apache Camel 4.10 for Quarkus 3.20

Via RHSA-2025:8919 https://access.redhat.com/errata/RHSA-2025:8919
Comment 4 errata-xmlrpc 2025-06-16 14:56:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:9114 https://access.redhat.com/errata/RHSA-2025:9114
Comment 5 errata-xmlrpc 2025-06-16 15:02:49 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9

Via RHSA-2025:9115 https://access.redhat.com/errata/RHSA-2025:9115
Comment 6 errata-xmlrpc 2025-06-16 15:04:11 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4.22

Via RHSA-2025:9117 https://access.redhat.com/errata/RHSA-2025:9117
Comment 8 errata-xmlrpc 2025-06-17 09:05:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:9166 https://access.redhat.com/errata/RHSA-2025:9166
Comment 9 errata-xmlrpc 2025-06-23 03:30:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:9318 https://access.redhat.com/errata/RHSA-2025:9318